Configure the SAML attribute strings required to map the Entra ID security groups to
the ExtremeCloud IQ
Role-Based Access Control (RBAC) roles for authorization.
This step includes manually adding the additional Attributes/Claims required in the
Entra ID Enterprise Application to map user accounts to ExtremeCloud IQ
RBAC roles.
-
In Section 2:
Attributes & Claims, select
Edit.
-
Under Additional Claims, select a row from the
table.
The claim properties open.
| User Profile Attribute |
SAML Attribute |
AAD Value |
| Email * |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email |
user.userprincipalname |
| Group * |
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups |
user.groups[ApplicationGroup] |
| First Name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
user.givenname |
| Last Name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
user.surname |
* You must manually add to the Default Attributes and Claims created
by Entra ID.
The following Attributes and Claims edits are
required:
- Unique User ID – Change the value to
user.mail
- Default name claim – Change from name to
email
- Remove emailaddress claim with value user.mail
-
To add a group claim, from the Attributes and Claims page, select
Add a group claim.
-
Select Groups assigned to the application.
-
From the Source attribute list, select
Cloud-only group display names.
